Abstract. One-counter processes (OCPs) are pushdown processes which operate only on a unary stack alphabet. We study the computational complexity of model checking computation tree logic (CTL) over OCPs. A PSPACE upper bound is inherited from the modal $\mu$-calculus for this problem. First, we analyze the periodic behaviour of CTL over OCPs and derive a model checking algorithm whose running time is exponential only in the number of control locations and a syntactic notion of the formula that we call leftward until depth. Thus, model checking fixed OCPs against CTL formulas with a fixed leftward until depth is in P. This generalizes a result of the first author, Mayr, and To for the expression complexity of CTL's fragment EF. Second, we prove that already over some fixed OCP, CTL model checking is PSPACE-hard. Third, we show that there already exists a fixed CTL formula for which model checking of OCPs is PSPACE-hard. For the latter, we employ two results from complexity theory: (i) Converting a natural number in Chinese remainder presentation into binary presentation is in logspace-uniform $\mathsf{NC}^1$ and (ii) PSPACE is $\mathsf{AC}^0$-serializable. We demonstrate that our approach can be used to answer further open questions.



1. Introduction 

Pushdown automata (PDAs) (or recursive state machines) are a natural model for sequential programs with recursive procedure calls, and their verification problems have been studied extensively. The complexity of model checking problems for PDAs is quite well understood: The reachability problem for PDAs can be solved in polynomial time [4, 10]. Model checking modal $\mu$-calculus over PDAs was shown to be EXPTIME-complete in [29], and the global version of the model checking problem has been considered in [7, 21, 22]. The EXPTIME lower bound for model checking PDAs also holds for the simpler logic CTL and its fragment EG [28], even for a fixed formula (data complexity) [5] or a fixed PDA (expression complexity). On the other hand, model checking PDAs against the logic EF (another natural fragment of CTL) is PSPACE-complete [28], and again the lower bound still holds if either the formula or the PDA is fixed [4]. Model checking problems for various fragments and extensions of PDL (Propositional Dynamic Logic) over PDAs were studied in [12].

One-counter processes (OCPs) are Minsky counter machines with just one counter. They can also be seen as a special case of PDAs with just one stack symbol, plus a non-removable bottom symbol which indicates an empty stack (and thus allows to test the counter for zero) and hence constitute a natural and fundamental computational model. In recent years, model checking problems for OCPs received increasing attention [13, 15, 23, 25]. Clearly, all upper complexity bounds carry over from PDAs. The question, whether these upper bounds can be matched by lower bounds was just recently solved for several important logics: Model checking modal $\mu$-calculus over OCPs is PSPACE-complete. The PSPACE upper bound was shown in [23], and a matching lower bound can easily be shown by a reduction from emptiness of alternating unary finite automata, which was shown to be PSPACE-complete in lITSl fT9l. This lower bound even holds if either the OCP or the formula is fixed. The situation becomes different for the fragment EF. In [13], it was shown that model checking EF over OCPs is in the complexity class $\mathsf{P}^{\mathsf{NP}}$ (the class of all problems that can be solved on a deterministic polynomial time machine with access to an oracle from NP). Moreover, if the input formula is represented succinctly as a directed acyclic graph, then model checking EF over OCPs is also hard for $\mathsf{P}^{\mathsf{NP}}$. For the standard (and less succinct) tree representation for formulas, only hardness for the class $\mathsf{P}^{\mathsf{NP}[\log]}$ (the class of all problems that can be solved on a deterministic polynomial time machine which is allowed to make $O(\log(n))$ many queries to an oracle from NP) was shown in [13]. In fact, there already exists a fixed EF formula such that model checking this formula over a given OCP is hard for $\mathsf{P}^{\mathsf{NP}[\log]}$, i.e., the data complexity is $\mathsf{P}^{\mathsf{NP}[\log]}$-hard.

In this paper we consider the model checking problem for CTL over OCPs. By the known upper bound for the modal $\mu$-calculus [23] this problem belongs to PSPACE. First, we analyze the combinatorics of CTL model checking over OCPs. More precisely, we analyze the periodic behaviour of the set of natural numbers that satisfy a given CTL formula in a given control location of the OCP (Thm. 4.1). By making use of Thm. 4.1 we can derive a model checking algorithm whose running time is exponential only in the number of control locations and a syntactic measure on CTL formulas that we call leftward until depth (Thm. 4.2). As a corollary, we obtain that model checking a fixed OCP against CTL formulas of fixed leftward until depth lies in P. This generalizes a recent result from [13], where it was shown that the expression complexity of EF over OCPs lies in P. Next, we focus on lower bounds. We show that model checking CTL over OCPs is PSPACE-complete, even if we fix either the OCP (Thm. 5.3) or the CTL formula (Thm. 7.2). The proof of Thm. 5.3 uses a reduction from QBF. We have to construct a fixed OCP for which we can construct for a given unary encoded number $i$ CTL formulas that express, when interpreted over our fixed OCP, whether the current counter value is divisible by $2^i$ and whether the $i^{\text{th}}$ bit in the binary representation of the current counter value is 1, respectively. For the proof of Thm. 7.2 (PSPACE-hardness of data complexity for CTL) we use two techniques from complexity theory, which to our knowledge have not been applied in the context of verification so far: (i) the existence of small depth circuits for converting a number from Chinese remainder representation to binary representation and (ii) the fact that PSPACE-computations are serializable in a certain sense (see Sec. 6 for details). One of the main obstructions in getting lower bounds for OCPs is the fact that OCPs are well suited for testing divisibility properties of the counter value and hence can deal with numbers in Chinese remainder representation, but it is not clear how to deal with numbers in binary representation. Small depth circuits for converting a number from Chinese remainder representation to binary representation are the key in order to overcome this obstruction.

We are confident that our new lower bound techniques described above can be used for proving further lower bounds for OCPs. We present two other applications of our techniques in Sec. 8: (i) We show that model checking EF over OCPs is complete for $\mathsf{P}^{\mathsf{NP}}$ even if the input formula is represented by a tree (Thm. 8.1) and thereby solve an open problem from fTT\. (ii) We improve a lower bound on a decision problem for one-counter Markov decision processes from [6] (Thm. [8^).
The following table summarizes the picture on the complexity of model checking for PDAs and OCPs. Our new results are marked with (*).



| Logic | PDA | OCP |
|---|---|---|
| modal $\mu$-calculus | EXPTIME-complete | PSPACE-complete |
| modal $\mu$-calculus, fixed formula | EXPTIME-complete | PSPACE-complete |
| modal $\mu$-calculus, fixed system | EXPTIME-complete | PSPACE-complete |
| CTL, fixed formula | EXPTIME-complete | PSPACE-complete (*) |
| CTL, fixed system | EXPTIME-complete | PSPACE-complete (*) |
| CTL, fixed system, fixed leftward until depth | EXPTIME-complete | in P (*) |
| EF | PSPACE-complete | $\mathsf{P}^{\mathsf{NP}}$-complete (*) |
| EF, fixed formula | PSPACE-complete | $\mathsf{P}^{\mathsf{NP}[\log]}$-hard, in $\mathsf{P}^{\mathsf{NP}}$ |
| EF, fixed system | PSPACE-complete | in P |


Missing proofs due to space restrictions can be found in the full version of this paper [14].



2. Preliminaries 

We denote the naturals by $\mathbb{N} = \{0, 1, 2, \ldots\}$. For $i, j \in \mathbb{N}$ let $[i, j] = \{k \in \mathbb{N} \mid i \le k \le j\}$ and $[j] = [1, j]$. In particular $[0] = \emptyset$. For $n \in \mathbb{N}$ and $i \ge 1$, let $\mathrm{bit}_i(n)$ denote the $i^{\text{th}}$ least significant bit of the binary representation of $n$, i.e., $n = \sum_{i \ge 1} 2^{i-1} \cdot \mathrm{bit}_i(n)$. For every finite and non-empty subset $M \subseteq \mathbb{N} \setminus \{0\}$, define $\mathrm{LCM}(M)$ to be the least common multiple of all numbers in $M$. It is known that $2^k \le \mathrm{LCM}([k]) \le 4^k$ for all $k \ge 9$ 1^. As usual, for a possibly infinite alphabet $A$, $A^*$ (resp. $A^\omega$) denotes the set of all finite (resp. infinite) words over $A$. Let $A^\infty = A^* \cup A^\omega$ and $A^+ = A^* \setminus \{\varepsilon\}$, where $\varepsilon$ is the empty word. The length of a finite word $w$ is denoted by $|w|$. For a word $w = a_1 a_2 \cdots a_n \in A^*$ (resp. $w = a_1 a_2 \cdots \in A^\omega$) with $a_i \in A$ and $i \in [n]$ (resp. $i \ge 1$), we denote by $w_i$ the letter $a_i$. A nondeterministic finite automaton (NFA) is a tuple $A = (S, \Sigma, \delta, s_0, S_f)$, where $S$ is a finite set of states, $\Sigma$ is a finite alphabet, $\delta \subseteq S \times \Sigma \times S$ is the transition relation, $s_0 \in S$ is the initial state, and $S_f \subseteq S$ is a set of final states. We assume some basic knowledge in complexity theory, see e.g. [1] for more details.

3. One-counter processes and computation tree logic 

Fix a countable set $\mathcal{P}$ of propositions. A transition system is a triple $T = (S, \{S_p \mid p \in \mathcal{P}\}, \to)$, where $S$ is the set of states, $\to\ \subseteq S \times S$ is the set of transitions and $S_p \subseteq S$ for all $p \in \mathcal{P}$ with $S_p = \emptyset$ for all but finitely many $p \in \mathcal{P}$. We write $s_1 \to s_2$ instead of $(s_1, s_2) \in\ \to$. The set of all finite (resp. infinite) paths in $T$ is $\mathrm{path}_+(T) = \{\pi \in S^+ \mid \forall i \in [|\pi| - 1] : \pi_i \to \pi_{i+1}\}$ (resp. $\mathrm{path}_\omega(T) = \{\pi \in S^\omega \mid \forall i \ge 1 : \pi_i \to \pi_{i+1}\}$). For a subset $U \subseteq S$ of states, a (finite or infinite) path $\pi$ is called a $U$-path if $\pi \in U^\infty$.

A one-counter process (OCP) is a tuple $O = (Q, \{Q_p \mid p \in \mathcal{P}\}, \delta_0, \delta_{>0})$, where $Q$ is a finite set of control locations, $Q_p \subseteq Q$ for all $p \in \mathcal{P}$ with $Q_p = \emptyset$ for all but finitely many $p \in \mathcal{P}$, $\delta_0 \subseteq Q \times \{0, 1\} \times Q$ is a set of zero transitions, and $\delta_{>0} \subseteq Q \times \{-1, 0, 1\} \times Q$ is a set of positive transitions. The size of the OCP $O$ is $|O| = |Q| + \sum_{p \in \mathcal{P}} |Q_p| + |\delta_0| + |\delta_{>0}|$. The transition system defined by $O$ is $T(O) = (Q \times \mathbb{N}, \{Q_p \times \mathbb{N} \mid p \in \mathcal{P}\}, \to)$, where $(q, n) \to (q', n + k)$ if and only if either $n = 0$ and $(q, k, q') \in \delta_0$, or $n > 0$ and $(q, k, q') \in \delta_{>0}$. A one-counter net (OCN) is an OCP, where $\delta_0 \subseteq \delta_{>0}$. For $(q, k, q') \in \delta_0 \cup \delta_{>0}$ we usually write $q \xrightarrow{k} q'$.

More details on the temporal logic CTL can be found for instance in lH. Formulas $\varphi$ of CTL are defined by the following grammar, where $p \in \mathcal{P}$:



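Given a transition system $T = (S, \{S_p \mid p \in \mathcal{P}\}, \to)$ and a CTL formula $\varphi$, we define the semantics $[\![\varphi]\!]_T \subseteq S$ by induction on the structure of $\varphi$ as follows:

- $[\![p]\!]_T = S_p$ for each $p \in \mathcal{P}$,
- $[\![\neg\varphi]\!]_T = S \setminus [\![\varphi]\!]_T$,
- $[\![\varphi_1 \wedge \varphi_2]\!]_T = [\![\varphi_1]\!]_T \cap [\![\varphi_2]\!]_T$,
- $[\![\exists X \varphi]\!]_T = \{s \in S \mid \exists s' \in [\![\varphi]\!]_T : s \to s'\}$,
- $[\![\exists \varphi_1 U \varphi_2]\!]_T = \{s \in S \mid \exists \pi \in \mathrm{path}_+(T) : \pi_1 = s,\ \pi_{|\pi|} \in [\![\varphi_2]\!]_T,\ \forall i \in [|\pi| - 1] : \pi_i \in [\![\varphi_1]\!]_T\}$,
- $[\![\exists \varphi_1 WU \varphi_2]\!]_T = [\![\exists \varphi_1 U \varphi_2]\!]_T \cup \{s \in S \mid \exists \pi \in \mathrm{path}_\omega(T) : \pi_1 = s,\ \forall i \ge 1 : \pi_i \in [\![\varphi_1]\!]_T\}$.

We also write $(T, s) \models \varphi$ (or briefly $s \models \varphi$ if $T$ is clear from the context) for $s \in [\![\varphi]\!]_T$. We introduce the usual abbreviations $\varphi_1 \vee \varphi_2 = \neg(\neg\varphi_1 \wedge \neg\varphi_2)$, $\forall X \varphi = \neg\exists X \neg\varphi$, $\exists F \varphi = \exists (p \vee \neg p) U \varphi$, and $\exists G \varphi = \exists \varphi\, WU\, (p \wedge \neg p)$ for some $p \in \mathcal{P}$. Formulas of the CTL-fragment EF are given by the following grammar, where $p \in \mathcal{P}$: $\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \exists X \varphi \mid \exists F \varphi$. The size of CTL formulas is defined as follows: $|p| = 1$, $|\neg\varphi| = |\exists X \varphi| = |\varphi| + 1$, $|\varphi_1 \wedge \varphi_2| = |\varphi_1| + |\varphi_2| + 1$, $|\exists \varphi_1 U \varphi_2| = |\exists \varphi_1 WU \varphi_2| = |\varphi_1| + |\varphi_2| + 1$.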

4. CTL on OCPs: Periodic behaviour and upper bounds 

The goal of this section is to prove a periodicity property of CTL over OCPs, which implies an upper bound for CTL on OCPs, see Thm. 4.2. As a corollary, we state that for a fixed OCP, CTL model checking restricted to formulas of fixed leftward until depth (see the definition below) can be done in polynomial time. We define the leftward until depth lud of CTL formulas inductively as follows: $\mathrm{lud}(p) = 0$ for $p \in \mathcal{P}$, $\mathrm{lud}(\neg\varphi) = \mathrm{lud}(\exists X \varphi) = \mathrm{lud}(\varphi)$, $\mathrm{lud}(\varphi_1 \wedge \varphi_2) = \max\{\mathrm{lud}(\varphi_1), \mathrm{lud}(\varphi_2)\}$, $\mathrm{lud}(\exists \varphi_1 U \varphi_2) = \mathrm{lud}(\exists \varphi_1 WU \varphi_2) = \max\{\mathrm{lud}(\varphi_1) + 1, \mathrm{lud}(\varphi_2)\}$. A similar definition of until depth can be found in [24], but there the until depth of $\exists \varphi_1 U \varphi_2$ is 1 plus the maximum of the until depths of $\varphi_1$ and $\varphi_2$. Note that $\mathrm{lud}(\varphi) \le 1$ for every EF formula $\varphi$.

Let us fix an OCP $O = (Q, \{Q_p \mid p \in \mathcal{P}\}, \delta_0, \delta_{>0})$ for the rest of this section. Let $|Q| = k$ and define $K = \mathrm{LCM}([k])$ and = for each CTL formula $\varphi$.

Theorem 4.1. For all CTL formulas $\varphi$, all $q \in Q$ and all $n, n' > 2 \cdot |\varphi| \cdot k^2 \cdot K_\varphi$ with $n \equiv n' \bmod K_\varphi$:



Proof sketch. We prove the theorem by induction on the structure of $\varphi$. We only treat the difficult case $\varphi = \exists \psi_1 U \psi_2$ here. Let $T = \max\{2 \cdot |\psi_i| \cdot k^2 \cdot K_{\psi_i} \mid i \in \{1, 2\}\}$. Let us prove equivalence (4.1). Note that $K_\varphi = \mathrm{LCM}\{K \cdot K_{\psi_1}, K_{\psi_2}\}$ by definition. Let us fix an arbitrary control location $q \in Q$ and naturals $n, n' \in \mathbb{N}$ such that $2 \cdot |\varphi| \cdot k^2 \cdot K_\varphi < n < n'$ and $n \equiv n' \bmod K_\varphi$. We have to prove that $(q, n) \in [\![\varphi]\!]_{T(O)}$ if and only if $(q, n') \in [\![\varphi]\!]_{T(O)}$. For this, let $d = n' - n$, which is a multiple of $K_\varphi$. We only treat the "if"-direction here and recommend the reader to consult [14] for helpful illustrations. So let us assume that $(q, n') \in [\![\varphi]\!]_{T(O)}$. To prove that $(q, n) \in [\![\varphi]\!]_{T(O)}$, we will use the following claim.

Claim: Assume some $[\![\psi_1]\!]_{T(O)}$-path $\pi = [(q_1, n_1) \to (q_2, n_2) \to \cdots \to (q_l, n_l)]$ with $n_i > T$ for all $i \in [l]$ and $n_1 - n_l \ge k^2 \cdot K \cdot K_{\psi_1}$. Then there exists a $[\![\psi_1]\!]_{T(O)}$-path from $(q_1, n_1)$ to $(q_l, n_l + K \cdot K_{\psi_1})$, whose counter values are all strictly above $T + K \cdot K_{\psi_1}$.

The claim tells us that paths that lose height at least $k^2 \cdot K \cdot K_{\psi_1}$ and whose states all have counter values strictly above $T$ can be flattened (without changing the starting state) by height $K \cdot K_{\psi_1}$.



$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \exists X \varphi \mid \exists \varphi U \varphi \mid \exists \varphi\, WU\, \varphi.$

(4.1)

Proof of the claim. For each counter value $h \in \{n_i \mid i \in [l]\}$ that appears in $\pi$, let $\mu(h) = \min\{i \in [l] \mid n_i = h\}$ denote the minimal position in $\pi$ whose corresponding state has counter value $h$. Define $\Delta = k \cdot K_{\psi_1}$. We will be interested in $k \cdot K$ many consecutive intervals (of counter values) each of size $\Delta$. Define the bottom $b = n_1 - (k \cdot K) \cdot \Delta$. Formally, an interval is a set $I_i = [b + (i - 1) \cdot \Delta,\ b + i \cdot \Delta]$ for some $i \in [k \cdot K]$. Since each interval has size $\Delta = k \cdot K_{\psi_1}$, we can think of each interval $I_i$ to consist of $k$ consecutive sub-intervals of size $K_{\psi_1}$ each. Note that each sub-interval has two extremal elements, namely its upper and lower boundary. Thus all $k$ sub-intervals have $k + 1$ boundaries in total. Hence, by the pigeonhole principle, for each interval $I_i$, there exists some $c_i \in [k]$ and two distinct boundaries $\beta(i, 1) > \beta(i, 2)$ of distance $c_i \cdot K_{\psi_1}$ such that the control location of $\pi$'s earliest state of counter value $\beta(i, 1)$ agrees with the control location of $\pi$'s earliest state of counter value $\beta(i, 2)$, i.e., formally $q_{\mu(\beta(i,1))} = q_{\mu(\beta(i,2))}$. Observe that flattening the path $\pi$ by gluing together $\pi$'s states at position $\mu(\beta(i, 1))$ and $\mu(\beta(i, 2))$ (for this, we add $c_i \cdot K_{\psi_1}$ to each counter value at a position $\ge \mu(\beta(i, 2))$) still results in a $[\![\psi_1]\!]_{T(O)}$-path by induction hypothesis, since we reduced the height of $\pi$ by a multiple of $K_{\psi_1}$. Our overall goal is to flatten $\pi$ by gluing together states only of certain intervals such that we obtain a path whose height is in total by precisely $K \cdot K_{\psi_1}$ smaller than $\pi$'s. Recall that there are $k \cdot K$ many intervals. By the pigeonhole principle there is some $c \in [k]$ such that $c_i = c$ for at least $K$ many intervals $I_i$. By gluing together $\frac{K}{c} \in \mathbb{N}$ pairs of states of distance $c \cdot K_{\psi_1}$ each, we reduce $\pi$'s height by exactly $\frac{K}{c} \cdot c \cdot K_{\psi_1} = K \cdot K_{\psi_1}$. This proves the claim.

Let us finish the proof of the "if"-direction. Since by assumption $(q, n') \in [\![\varphi]\!]_{T(O)}$, there exists a finite path $\pi = (q_1, n_1) \to (q_2, n_2) \to \cdots \to (q_l, n_l)$, where $\pi[1, l - 1]$ is a $[\![\psi_1]\!]_{T(O)}$-path, $(q, n') = (q_1, n_1)$, and where $(q_l, n_l) \in [\![\psi_2]\!]_{T(O)}$. To prove $(q, n) \in [\![\varphi]\!]_{T(O)}$, we will assume that $n_j > T$ for each $j \in [l]$. The case when $n_j = T$ for some $j \in [l]$ can be proven similarly. Assume first that the path $\pi[1, l - 1]$ contains two states whose counter difference is at least $k^2 \cdot K \cdot K_{\psi_1} + K_\varphi$, which is (strictly) greater than $k^2 \cdot K \cdot K_{\psi_1}$. Since $K_\varphi$ is a multiple of $K \cdot K_{\psi_1}$ by definition, we can apply the above claim $\frac{K_\varphi}{K \cdot K_{\psi_1}} \in \mathbb{N}$ many times to $\pi[1, l - 1]$. This reduces the height by $K_\varphi$. We repeat this flattening process of $\pi[1, l - 1]$ by height $K_\varphi$ as long as possible, i.e., until any two states have counter difference smaller than $k^2 \cdot K \cdot K_{\psi_1} + K_\varphi$. Let $\sigma$ denote the $[\![\psi_1]\!]_{T(O)}$-path starting in $(q, n')$ that we obtain from $\pi[1, l - 1]$ by this process. Thus, $\sigma$ ends in some state, whose counter value is congruent $n_{l-1}$ modulo $K_\varphi$ (since we flattened $\pi[1, l - 1]$ by a multiple of $K_\varphi$). Since $K_\varphi$ is in turn a multiple of $K_{\psi_2}$, we can build a path $\sigma'$ which extends the path $\sigma$ by a single transition to some state that satisfies $\psi_2$ by induction hypothesis. Moreover, by our flattening process, the counter difference between any two states in $\sigma'$ is at most $k^2 \cdot K \cdot K_{\psi_1} + K_\varphi \le 2 \cdot k^2 \cdot K_\varphi$. Recall that $T = \max\{2 \cdot |\psi_i| \cdot k^2 \cdot K_{\psi_i} \mid i \in \{1, 2\}\}$. As

$n > 2 \cdot |\varphi| \cdot k^2 \cdot K_\varphi = 2 \cdot (|\varphi| - 1 + 1) \cdot k^2 \cdot K_\varphi \ge T + 2 \cdot k^2 \cdot K_\varphi,$

it follows that the path that results from $\sigma'$ by subtracting $d$ from each counter value (this path starts in $(q, n)$) is strictly above $T$. Moreover, since $d$ is a multiple of $K_{\psi_1}$ and $K_{\psi_2}$, this path witnesses $(q, n) \in [\![\varphi]\!]_{T(O)}$ by induction hypothesis. ∎

The following result can be obtained basically by using the standard model checking algorithm for CTL on finite systems (see e.g. [2]) in combination with Thm. 4.1.

Theorem 4.2. For a given one-counter process $O = (Q, \{Q_p \mid p \in \mathcal{P}\}, \delta_0, \delta_{>0})$, a CTL formula $\varphi$, a control location $q \in Q$, and $n \in \mathbb{N}$ given in binary, one can decide $(q, n) \in [\![\varphi]\!]_{T(O)}$ in time $O(\log(n) + |Q|^3 \cdot |\varphi|^2 \cdot 4^{|Q| \cdot \mathrm{lud}(\varphi)} \cdot |\delta_0 \cup \delta_{>0}|)$.

Figure 1: The one-counter net O for which CTL model checking is PSPACE-hard



As a corollary, we can deduce that for every fixed OCP $O$ and every fixed $k$ the question if for a given state $s$ and a given CTL formula $\varphi$ with $\mathrm{lud}(\varphi) \le k$, we have $(T(O), s) \models \varphi$, is in P. This generalizes a result from [13], stating that the expression complexity of EF over OCPs is in P.
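
The ingredients of this section on a small scale, as an added example that is not code from the paper: the leftward until depth as defined above, and the standard CTL labelling algorithm run on a finite slice of $T(O)$. The sample OCP, the tuple encoding of formulas and the restriction to non-positive weights (which makes the slice $Q \times [0, N]$ closed under successors, so the labelling is exact) are assumptions of the example; the period tested is $K = \mathrm{LCM}([k])$.

```python
from functools import reduce
from math import gcd

# Constructed sample OCP (not the OCN of Fig. 1). Propositions coincide with
# control locations. Assumption: every weight is <= 0, so the finite slice
# Q x [0, N] is closed under successors and labelling it is exact.
Q = ["a", "b", "c", "z"]
DELTA_ZERO = {("a", 0, "z"), ("z", 0, "z")}                  # counter = 0
DELTA_POS = {("a", -1, "b"), ("b", -1, "c"), ("c", -1, "a"),
             ("z", 0, "z")}                                   # counter > 0

def successors(q, n):
    """Successors of (q, n) in T(O): zero transitions at n = 0, positive above."""
    delta = DELTA_ZERO if n == 0 else DELTA_POS
    return [(q2, n + k) for (q1, k, q2) in delta if q1 == q and n + k >= 0]

# Formula encoding (hypothetical): ("p", q), ("not", f), ("and", f, g),
# ("EX", f), ("EU", f, g) for E f U g, ("EWU", f, g) for E f WU g.
def prop(q):
    return ("p", q)

FALSE = ("and", prop("a"), ("not", prop("a")))
TRUE = ("not", FALSE)

def EF(f):
    return ("EU", TRUE, f)

def EG(f):
    return ("EWU", f, FALSE)

def lud(phi):
    """Leftward until depth: only the left argument of an until adds 1."""
    op = phi[0]
    if op == "p":
        return 0
    if op in ("not", "EX"):
        return lud(phi[1])
    if op == "and":
        return max(lud(phi[1]), lud(phi[2]))
    return max(lud(phi[1]) + 1, lud(phi[2]))

def sat(phi, N):
    """States (q, n) with n <= N that satisfy phi, by bottom-up labelling."""
    states = {(q, n) for q in Q for n in range(N + 1)}
    op = phi[0]
    if op == "p":
        return {s for s in states if s[0] == phi[1]}
    if op == "not":
        return states - sat(phi[1], N)
    if op == "and":
        return sat(phi[1], N) & sat(phi[2], N)
    if op == "EX":
        target = sat(phi[1], N)
        return {s for s in states if any(t in target for t in successors(*s))}
    if op in ("EU", "EWU"):
        left, right = sat(phi[1], N), sat(phi[2], N)
        # Both are fixpoints of Z = right | (left & EX Z):
        # the least one for U, the greatest one for WU.
        z = set(right) if op == "EU" else set(states)
        while True:
            step = right | {s for s in left
                            if any(t in z for t in successors(*s))}
            if step == z:
                return z
            z = step
    raise ValueError(f"unknown operator {op!r}")

def counters(phi, q, N):
    """Counter values n <= N with (q, n) satisfying phi."""
    s = sat(phi, N)
    return [n for n in range(N + 1) if (q, n) in s]

def periodic(phi, q, N, period, start):
    """Is membership of (q, n) periodic with the given period on [start, N]?"""
    s = sat(phi, N)
    return all(((q, n) in s) == ((q, n + period) in s)
               for n in range(start, N - period + 1))

K = reduce(lambda a, b: a * b // gcd(a, b), range(1, len(Q) + 1))  # LCM([k])
REACH_Z = EF(prop("z"))                  # lud 1
THEN_B = ("EU", REACH_Z, prop("b"))      # until nested on the left: lud 2
NESTED_EF = EF(EF(prop("z")))            # until nested on the right: lud 1

if __name__ == "__main__":
    print(K, lud(REACH_Z), lud(THEN_B), lud(NESTED_EF))
    print(counters(REACH_Z, "a", 12), counters(THEN_B, "a", 12))
    print(periodic(THEN_B, "a", 60, K, 0), periodic(THEN_B, "a", 60, K, 1))
```

On this sample the satisfying counter values of `THEN_B` in location `a` are periodic only above a small offset, which is the shape of statement Thm. 4.1 makes; its threshold is far larger than what this sample needs.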

5. Expression complexity for CTL is hard for PSPACE 

The goal of this section is to prove that model checking CTL is PSPACE-hard already over a fixed OCN. We show this via a reduction from the well-known PSPACE-complete problem QBF. Our lower bound proof is separated into three steps. In step one, we define a family of CTL formulas $(\varphi_i)_{i \ge 1}$ such that over the fixed OCN $O$ that is depicted in Fig. 1 we can express (non-)divisibility by $2^i$. In step two, we define a family of CTL formulas $(\psi_i)_{i \ge 1}$ such that over $O$ we can express if the $i^{\text{th}}$ bit in the binary representation of a natural is set to 1. In our final step, we give the reduction from QBF. For step one, we need the following simple fact which characterizes divisibility by powers of two (recall that $[n] = \{1, \ldots, n\}$, in particular $[0] = \emptyset$):

$\forall n \ge 0,\ i \ge 1 :\ 2^i \text{ divides } n \iff \big(2^{i-1} \text{ divides } n \ \wedge\ |\{n' \in [n] \mid 2^{i-1} \text{ divides } n'\}| \text{ is even}\big)$ (5.1)

The set of propositions of $O$ in Fig. 1 coincides with its control locations. Recall that $O$'s zero transitions are denoted by $\delta_0$ and $O$'s positive transitions are denoted by $\delta_{>0}$. Since $\delta_0 \subseteq \delta_{>0}$, $O$ is indeed an OCN. Note that both $t$ and $\bar{t}$ are control locations of $O$. Now we define a family of CTL formulas $(\varphi_i)_{i \ge 1}$ such that for each $n \in \mathbb{N}$ we have: (i) $(t, n) \models \varphi_i$ if and only if $2^i$ divides $n$ and (ii) $(\bar{t}, n) \models \varphi_i$ if and only if $2^i$ does not divide $n$. On first sight, it might seem superfluous to let the control location $t$ represent divisibility by powers of two and the control location $\bar{t}$ to represent non-divisibility by powers of two since CTL allows negation. However the fact that we have only one family of formulas $(\varphi_i)_{i \ge 1}$ to express both divisibility and non-divisibility is a crucial technical subtlety that is necessary in order to avoid an exponential blowup in formula size. By making use of (5.1), we construct the formulas $\varphi_i$ inductively. First, let us define the auxiliary formulas $\mathrm{test} = t \vee \bar{t}$ and $\varphi_\diamond = q_0 \vee q_1 \vee q_2 \vee q_3$. Think of $\varphi_\diamond$ to hold in those control locations that altogether are situated in the "diamond" in Fig. 1. We define

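$\varphi_1 = \mathrm{test} \wedge \exists X\,(f \wedge EF(f \wedge \neg\exists X g))$ and

$\varphi_i = \mathrm{test} \wedge \exists X\,\big(\exists(\varphi_\diamond \wedge \exists X \varphi_{i-1})\ U\ (q_0 \wedge \neg\exists X q_1)\big)$ for $i > 1$.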

Since $\varphi_{i-1}$ is only used once in $\varphi_i$, we get $|\varphi_i| \in O(i)$. The following lemma states the correctness of the construction.

Lemma 5.1. Let $n \ge 0$ and $i \ge 1$. Then

• $(t, n) \models \varphi_i$ if and only if $2^i$ divides $n$.
• $(\bar{t}, n) \models \varphi_i$ if and only if $2^i$ does not divide $n$.

Proof sketch. The lemma is proved by induction on $i$. The induction base for $i = 1$ is easy to check. For $i > 1$, observe that $\varphi_i$ can only be true either in control location $t$ or $\bar{t}$. Note that the formula right to the until symbol in $\varphi_i$ expresses that we are in $q_0$ and that the current counter value is zero. Also note that the formula left to the until symbol requires that $\varphi_\diamond$ holds, i.e., we are always in one of the four "diamond control locations". In other words, we decrement the counter by moving along the diamond control locations (by possibly looping at $q_1$ and $q_3$) and always check if $\exists X \varphi_{i-1}$ holds, just until we are in $q_0$ and the counter value is zero. Since there are transitions from $q_1$ and $q_3$ to $\bar{t}$ (but not to $t$), the induction hypothesis implies that the formula $\exists X \varphi_{i-1}$ can be only true in $q_1$ and $q_3$ as long as the current counter value is not divisible by $2^{i-1}$. Similarly, since there are transitions from $q_0$ and $q_2$ to $t$ (but not to $\bar{t}$), the induction hypothesis implies that the formula $\exists X \varphi_{i-1}$ can be only true in $q_0$ and $q_2$ if the current counter value is divisible by $2^{i-1}$. With (5.1) this implies the lemma. ∎

For expressing if the $i^{\text{th}}$ bit of a natural is set to 1, we make use of the following simple fact:

$\forall n \ge 0,\ i \ge 1 :\ \mathrm{bit}_i(n) = 1 \iff |\{n' \in [n] \mid 2^{i-1} \text{ divides } n'\}| \text{ is odd}$ (5.2)

Let us now define a family of CTL formulas $(\psi_i)_{i \ge 1}$ such that for each $n \in \mathbb{N}$ we have $\mathrm{bit}_i(n) = 1$ if and only if $(\bar{t}, n) \models \psi_i$. We set $\psi_1 = \varphi_1$ and $\psi_i = \bar{t} \wedge \exists X((q_1 \vee q_2) \wedge \mu_i)$, where $\mu_i = \exists(\varphi_\diamond \wedge \exists X \varphi_{i-1})\ U\ (q_0 \wedge \neg\exists X q_1)$ for each $i > 1$. Due to the construction of $\psi_i$ and since $|\varphi_i| \in O(i)$, we obtain that $|\psi_i| \in O(i)$. The following lemma states the correctness of the construction.

Lemma 5.2. Let $n \ge 0$ and let $i \ge 1$. Then $(\bar{t}, n) \models \psi_i$ if and only if $\mathrm{bit}_i(n) = 1$.

Let us sketch the final step of the reduction from QBF. For this, let us assume some quantified Boolean formula $\alpha = Q_k x_k\, Q_{k-1} x_{k-1} \cdots Q_1 x_1 : \beta(x_1, \ldots, x_k)$, where $\beta$ is a Boolean formula over variables $\{x_1, \ldots, x_k\}$ and $Q_i \in \{\exists, \forall\}$ is a quantifier for each $i \in [k]$. Think of each truth assignment $\vartheta : \{x_1, \ldots, x_k\} \to \{0, 1\}$ to correspond to the natural number $n(\vartheta) \in [0, 2^k - 1]$, where $\mathrm{bit}_i(n(\vartheta)) = 1$ if and only if $\vartheta(x_i) = 1$, for each $i \in [k]$. Let $\hat{\beta}$ be the CTL formula that is obtained from $\beta$ by replacing each occurrence of $x_i$ by $\psi_i$, which corresponds to applying Lemma 5.2. It remains to describe how we deal with quantification. Think of this as to consecutively incrementing the counter from state $(t, 0)$ as follows. First, setting the variable $x_k$ to 1 will correspond to adding $2^{k-1}$ to the counter and getting to state $(t, 2^{k-1})$. Setting $x_k$ to 0 on the other hand will correspond to adding 0 to the counter and hence remaining in state $(t, 0)$. Next, setting $x_{k-1}$ to 1 corresponds to adding to the current counter value $2^{k-2}$, whereas setting $x_{k-1}$ to 0 corresponds to adding 0, as expected. These incrementation steps can be achieved using the formulas $\varphi_i$ from Lemma 5.1. Finally, after setting variable $x_1$ either to 0 or 1, we verify if the CTL formula $\hat{\beta}$ holds. Formally, let $\circ_i = \wedge$ if $Q_i = \exists$ and $\circ_i = \ \rightarrow$ if $Q_i = \forall$ for each $i \in [k]$ (recall that $Q_k, \ldots, Q_1$ are the quantifiers of our quantified Boolean formula $\alpha$). Let $\theta_1$ = QiX ((po V pi) Qi 3X /3) and for $i \in [2, k]$:

Oi = QiX (^{po V pi) 3 (^{po V 3X (t A ipi^i)) U (t A A 

Then, it can be shown that $\alpha$ is valid if and only if $(t, 0) \in [\![\theta_k]\!]_{T(O)}$.

Theorem 5.3. CTL model checking of the fixed OCN $O$ from Fig. 1 is PSPACE-hard.

Note that the constructed CTL formula has leftward until depth that depends on the size of $\alpha$. By Thm. 4.2 this cannot be avoided unless P = PSPACE. Observe that in order to express divisibility by powers of two, our CTL formulas $(\varphi_i)_{i \ge 0}$ have linearly growing leftward until depth.

6. Tools from complexity theory

For Sec. 7 and 8 we need some concepts from complexity theory. By $\mathsf{P}^{\mathsf{NP}[\log]}$ we denote the class of all problems that can be solved on a polynomially time bounded deterministic Turing machine which can have access to an NP-oracle only logarithmically many times, and by $\mathsf{P}^{\mathsf{NP}}$ the corresponding class without the restriction to logarithmically many queries. Let us briefly recall the definition of the circuit complexity class $\mathsf{NC}^1$, more details can be found in [26]. We consider Boolean circuits $C = C(x_1, \ldots, x_n)$ built up from AND- and OR-gates. Each input gate is labeled with a variable $x_i$ or a negated variable $\neg x_i$. The output gates are linearly ordered. Such a circuit computes a function $f_C : \{0, 1\}^n \to \{0, 1\}^m$, where $m$ is the number of output gates, in the obvious way. The fan-in of a circuit is the maximal number of incoming wires of a gate in the circuit. The depth of a circuit is the number of gates along a longest path from an input gate to an output gate. A logspace-uniform $\mathsf{NC}^1$-circuit family is a sequence $(C_n)_{n \ge 1}$ of Boolean circuits such that for some polynomial $p(n)$ and constant $c$: (i) $C_n$ contains at most $p(n)$ many gates, (ii) the depth of $C_n$ is at most $c \cdot \log(n)$, (iii) the fan-in of $C_n$ is at most 2, (iv) for each $m$ there is at most one circuit in $(C_n)_{n \ge 1}$ with exactly $m$ input gates, and (v) there exists a logspace transducer that computes on input $1^n$ a representation (e.g. as a node-labeled graph) of the circuit $C_n$. Such a circuit family computes a partial mapping on $\{0, 1\}^*$ in the obvious way (note that we do not require to have for every $n \ge 0$ a circuit with exactly $n$ input gates in the family, therefore the computed mapping is in general only partially defined). In the literature on circuit complexity one can find more restrictive notions of uniformity, see e.g. [26], but logspace uniformity suffices for our purposes. In fact, polynomial time uniformity suffices for proving our lower bounds w.r.t. polynomial time reductions.

For $m \ge 1$ and $0 \le M \le 2^m - 1$ let $\mathrm{BIN}_m(M) = \mathrm{bit}_m(M) \cdots \mathrm{bit}_1(M) \in \{0, 1\}^m$ denote the $m$-bit binary representation of $M$. Let $p_i$ denote the $i^{\text{th}}$ prime number. It is well-known that the $i^{\text{th}}$ prime requires $O(\log(i))$ bits in its binary representation. For a number $0 \le M < \prod_{i=1}^m p_i$ we define the Chinese remainder representation $\mathrm{CRR}_m(M)$ as the Boolean tuple $\mathrm{CRR}_m(M) = (x_{i,r})_{i \in [m],\, 0 \le r < p_i}$ with $x_{i,r} = 1$ if $M \bmod p_i = r$ and $x_{i,r} = 0$ else. By the following theorem, one can transform a Chinese remainder representation very efficiently into binary representation.

Theorem 6.1 (El). There is a logspace-uniform $\mathsf{NC}^1$-circuit family $(B_m((x_{i,r})_{i \in [m],\, 0 \le r < p_i}))_{m \ge 1}$ such that for every $m \ge 1$, $B_m$ has $m$ output gates and for every $0 \le M < \prod_{i=1}^m p_i$ we have that $B_m(\mathrm{CRR}_m(M)) = \mathrm{BIN}_m(M \bmod 2^m)$.

By ifTTl, we could replace logspace-uniform $\mathsf{NC}^1$-circuits in Thm. 6.1 even by DLOGTIME-uniform $\mathsf{TC}^0$-circuits. The existence of a P-uniform $\mathsf{NC}^1$-circuit family for converting from Chinese remainder representation to binary representation was already shown in [3]. Usually the Chinese remainder representation of $M$ is the tuple $(r_i)_{i \in [m]}$, where $r_i = M \bmod p_i$. Since the primes $p_i$ will be always given in unary notation, there is no essential difference between this representation and our Chinese remainder representation. The latter is more suitable for our purpose.
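
The two representations above side by side, as an added example that is not code from the paper: it builds the Boolean tuple $\mathrm{CRR}_m(M)$, recovers the usual residues $r_i$ from it, and computes the function that the circuits $B_m$ of Thm. 6.1 compute. The function names are hypothetical, and the conversion is done with ordinary Chinese remainder arithmetic rather than with a circuit.

```python
from math import prod

def first_primes(m):
    """p_1, ..., p_m by trial division (fine for the small m used here)."""
    primes, cand = [], 2
    while len(primes) < m:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes

def crr(M, primes):
    """CRR_m(M) as the Boolean tuple (x_{i,r}), keyed by (i, r) with i from 1."""
    if not 0 <= M < prod(primes):
        raise ValueError("M must satisfy 0 <= M < p_1 * ... * p_m")
    return {(i, r): int(M % p == r)
            for i, p in enumerate(primes, start=1) for r in range(p)}

def residues(x, primes):
    """Recover r_i = M mod p_i; rejects tuples that are not a valid CRR."""
    out = []
    for i, p in enumerate(primes, start=1):
        hits = [r for r in range(p) if x[(i, r)] == 1]
        if len(hits) != 1:
            raise ValueError(f"block {i} must contain exactly one 1")
        out.append(hits[0])
    return out

def crr_to_bin(x, primes):
    """BIN_m(M mod 2^m) from CRR_m(M), most significant bit first."""
    m, P = len(primes), prod(primes)
    M = 0
    for r, p in zip(residues(x, primes), primes):
        rest = P // p                       # product of the other primes
        M += r * rest * pow(rest, -1, p)    # CRT basis element scaled by r_i
    return format((M % P) % 2**m, f"0{m}b")

if __name__ == "__main__":
    ps = first_primes(4)                    # constructed sample: m = 4
    x = crr(157, ps)                        # constructed sample value M = 157
    print(ps, residues(x, ps), crr_to_bin(x, ps))
```

Each variable $x_{i,r}$ is exactly a test "the value is congruent to $r$ modulo $p_i$", which is the kind of property a counter can be checked for by repeated subtraction.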

The following definition of $\mathsf{NC}^1$-serializability is a variant of the more classical notion of serializability [8, 16], which fits our purpose better. A language $L$ is $\mathsf{NC}^1$-serializable if there exists an NFA $A$ over the alphabet $\{0, 1\}$, a polynomial $p(n)$, and a logspace-uniform $\mathsf{NC}^1$-circuit family $(C_n)_{n \ge 0}$, where $C_n$ has exactly $n + p(n)$ many inputs and one output, such that for every $x \in \{0, 1\}^n$ we have $x \in L$ if and only if $C_n(x, 0^{p(n)}) \cdots C_n(x, 1^{p(n)}) \in L(A)$, where "$\cdots$" refers to the lexicographic order on $\{0, 1\}^{p(n)}$. With this definition, it can be shown that all languages in PSPACE are $\mathsf{NC}^1$-serializable. A proof can be found in the appendix of [14]; it is just a slight adaptation of the proofs from [8, 16].

7. Data complexity for CTL is hard for PSPACE

In this section, we prove that also the data complexity of CTL over OCNs is hard for PSPACE and therefore PSPACE-complete by the known upper bounds for the modal $\mu$-calculus [23]. Let us fix the set of propositions $\mathcal{P} = \{\alpha, \beta, \gamma\}$ for this section. In the following, w.l.o.g. we allow in $\delta_0$ (resp. in $\delta_{>0}$) transitions of the kind $(q, k, q')$, where $k \in \mathbb{N}$ (resp. $k \in \mathbb{Z}$) is given in unary representation with the expected intuitive meaning.

Proposition 7.1. For the fixed formula $\varphi = (\alpha \Rightarrow \exists X(\beta \wedge EF(\neg\exists X \gamma)))$ the following problem can be solved with a logspace transducer:

INPUT: A list $p_1, \ldots, p_m$ of the first $m$ consecutive (unary encoded) prime numbers and a Boolean formula $F = F((x_{i,r})_{i \in [m],\, 0 \le r < p_i})$.

OUTPUT: An OCN $O(F)$ with distinguished control locations in and out, such that for every number $0 \le M < \prod_{i=1}^m p_i$ we have that $F(\mathrm{CRR}_m(M)) = 1$ if and only if there exists a $[\![\varphi]\!]_{T(O(F))}$-path from $(\mathrm{in}, M)$ to $(\mathrm{out}, M)$ in the transition system $T(O(F))$.

Proof. W.l.o.g., negations occur in $F$ only in front of variables. Then additionally, a negated variable $\neg x_{i,r}$ can be replaced by the disjunction $\bigvee \{x_{i,k} \mid 0 \le k < p_i,\ r \ne k\}$. This can be done in logspace, since the primes $p_i$ are given in unary. Thus, we can assume that $F$ does not contain negations.

The idea is to traverse the Boolean formula $F$ with the OCN $O(F)$ in a depth first manner. Each time a variable $x_{i,r}$ is seen, the OCN may also enter another branch, where it is checked, whether the current counter value is congruent $r$ modulo $p_i$. Let $O(F) = (Q, \{Q_\alpha, Q_\beta, Q_\gamma\}, \delta_0, \delta_{>0})$, where $Q = \{\mathrm{in}(G), \mathrm{out}(G) \mid G \text{ is a subformula of } F\} \cup \{\mathrm{div}(p_1), \ldots, \mathrm{div}(p_m), \bot\}$, $Q_\alpha = \{\mathrm{in}(x_{i,r}) \mid i \in [m],\ 0 \le r < p_i\}$, $Q_\beta = \{\mathrm{div}(p_1), \ldots, \mathrm{div}(p_m)\}$, and $Q_\gamma = \{\bot\}$. We set $\mathrm{in} = \mathrm{in}(F)$ and $\mathrm{out} = \mathrm{out}(F)$. Let us now define the transition sets $\delta_0$ and $\delta_{>0}$. For every subformula $G_1 \wedge G_2$ or $G_1 \vee G_2$ of $F$ we add the following transitions to $\delta_0$ and $\delta_{>0}$:

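$\mathrm{in}(G_1 \wedge G_2) \to \mathrm{in}(G_1)$, $\mathrm{out}(G_1) \to \mathrm{in}(G_2)$, $\mathrm{out}(G_2) \to \mathrm{out}(G_1 \wedge G_2)$

$\mathrm{in}(G_1 \vee G_2) \to \mathrm{in}(G_i)$, $\mathrm{out}(G_i) \to \mathrm{out}(G_1 \vee G_2)$ for all $i \in \{1, 2\}$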

For every variable $x_{i,r}$ we add to $\delta_0$ and $\delta_{>0}$ the transition $\mathrm{in}(x_{i,r}) \to \mathrm{out}(x_{i,r})$. Moreover, we add to $\delta_{>0}$ the transitions $\mathrm{in}(x_{i,r}) \to \mathrm{div}(p_i)$. The transition $\mathrm{in}(x_{i,0}) \to \mathrm{div}(p_i)$ is also added to $\delta_0$. For the control locations $\mathrm{div}(p_i)$ we add to $\delta_{>0}$ the transitions $\mathrm{div}(p_i) \to \mathrm{div}(p_i)$ and $\mathrm{div}(p_i) \to \bot$. This concludes the description of the OCN $O(F)$. Correctness of the construction can be easily checked by induction on the structure of the formula $F$. ∎

We are now ready to prove PSPACE-hardness of the data complexity. 

Theorem 7.2. There exists a fixed CTL formula of the form $\exists \varphi_1 U \varphi_2$, where $\varphi_1$ and $\varphi_2$ are EF formulas, for which it is PSPACE-complete to decide $(T(O), (q, 0)) \models \exists \varphi_1 U \varphi_2$ for a given OCN $O$ and a control location $q$ of $O$.

Proof. Let us take an arbitrary language $L$ in PSPACE. Recall from Sec. 6 that PSPACE is NC$^1$-serializable. Thus, there exists an NFA $A = (S, \{0, 1\}, \delta, s_0, S_f)$ over the alphabet $\{0, 1\}$, a polynomial $p(n)$, and a logspace-uniform NC$^1$-circuit family $(C_n)_{n \ge 0}$, where $C_n$ has $n + p(n)$ many inputs and one output, such that for every $x \in \{0, 1\}^n$ we have:

$$x \in L \iff C_n(x, 0^{p(n)}) \cdots C_n(x, 1^{p(n)}) \in L(A), \tag{7.1}$$

where "$\cdots$" refers to the lexicographic order on $\{0, 1\}^{p(n)}$. Fix an input $x \in \{0, 1\}^n$. Our reduction can be split into the following five steps:
Step 1. Construct in logspace the circuit $C_n$. Fix the first $n$ inputs of $C_n$ to the bits in $x$, and denote the resulting circuit by $C$; it has only $m = p(n)$ many inputs. Then, (7.1) can be written as

$$x \in L \iff \prod_{M=0}^{2^m-1} C(\mathrm{BIN}_m(M)) \in L(A). \tag{7.2}$$

Step 2. Compute the first $m$ consecutive primes $p_1, \ldots, p_m$. This is possible in logspace, see e.g. [9]. Every $p_i$ is bounded polynomially in $n$. Hence, every $p_i$ can be written down in unary notation. Note that $\prod_{i=1}^{m} p_i > 2^m$ (if $m > 1$).

Step 3. Compute in logspace the circuit $B = B_m((x_{i,r})_{i \in [m],\, 0 \le r < p_i})$ from Thm. 6.1. Thus, $B$ is a Boolean circuit of fan-in 2 and depth $O(\log(m)) = O(\log(n))$ with $m$ output gates and $B(\mathrm{CRR}_m(M)) = \mathrm{BIN}_m(M \bmod 2^m)$ for every $0 \le M < \prod_{i=1}^{m} p_i$.

Step 4. Now we compose the circuits $B$ and $C$: For every $i \in [m]$, connect the input of the circuit $C(x_1, \ldots, x_m)$ with the output of the circuit $B$. The result is a circuit with fan-in 2 and depth $O(\log(n))$. In logspace, we can unfold this circuit into a Boolean formula $F = F((x_{i,r})_{i \in [m],\, 0 \le r < p_i})$. The resulting formula (or tree) has the same depth as the circuit, i.e., depth $O(\log(n))$, and every tree node has at most 2 children. Hence, $F$ has polynomial size. For every $0 \le M < 2^m$ we have $F(\mathrm{CRR}_m(M)) = C(\mathrm{BIN}_m(M))$ and equivalence (7.2) can be written as

$$x \in L \iff \prod_{M=0}^{2^m-1} F(\mathrm{CRR}_m(M)) \in L(A). \tag{7.3}$$

Step 5. We now apply our construction from Prop. 7.1 to the formula $F$. More precisely, let $G$ be the Boolean formula $\bigwedge_{i \in [m]} x_{i,r_i}$ where $r_i = 2^m \bmod p_i$ for $i \in [m]$ (these remainders can be computed in logspace). For every 1-labeled transition $\tau \in \delta$ of the NFA $A$ let $O(\tau)$ be a copy of the OCN $O(F \wedge \neg G)$. For every 0-labeled transition $\tau \in \delta$ let $O(\tau)$ be a copy of the OCN $O(\neg F \wedge \neg G)$. In both cases we write $O(\tau)$ as $(Q(\tau), \{Q_\alpha(\tau), Q_\beta(\tau), Q_\gamma(\tau)\}, \delta_0(\tau), \delta_{>0}(\tau))$. Denote with $\mathrm{in}(\tau)$ (resp. $\mathrm{out}(\tau)$) the control location of this copy that corresponds to in (resp. out) in $O(F)$. Hence, for every $b$-labeled transition $\tau \in \delta$ ($b \in \{0, 1\}$) and every $0 \le M < \prod_{i=1}^{m} p_i$ there exists a $[\![\varphi]\!]_{T(O(\tau))}$-path ($\varphi$ is from Prop. 7.1) from $(\mathrm{in}(\tau), M)$ to $(\mathrm{out}(\tau), M)$ if and only if $F(\mathrm{CRR}_m(M)) = b$ and $M \ne 2^m$.

We now define an OCN $O = (Q, \{Q_\alpha, Q_\beta, Q_\gamma\}, \delta_0, \delta_{>0})$ as follows: We take the disjoint union of all the OCNs $O(\tau)$ for $\tau \in \delta$. Moreover, every state $s \in S$ of the NFA $A$ becomes a control location of $O$, i.e. $Q = S \cup \bigcup_{\tau \in \delta} Q(\tau)$ and $Q_p = \bigcup_{\tau \in \delta} Q_p(\tau)$ for each $p \in \{\alpha, \beta, \gamma\}$. We add to $\delta_0$ and $\delta_{>0}$ for every $\tau = (s, b, t) \in \delta$ the transitions $s \to \mathrm{in}(\tau)$ and $\mathrm{out}(\tau) \to t$. Then, by Prop. 7.1 and (7.3) we have $x \in L$ if and only if there exists a $[\![\varphi]\!]_{T(O)}$-path in $T(O)$ from $(s_0, 0)$ to $(s, 2^m)$ for some $s \in S_f$. Also note that there is no $[\![\varphi]\!]_{T(O)}$-path in $T(O)$ from $(s_0, 0)$ to some configuration $(s, M)$ with $s \in S$ and $M > 2^m$. It remains to add to $O$ some structure that enables $O$ to check that the counter has reached the value $2^m$. For this, use again Prop. 7.1 to construct the OCN $O(G)$ ($G$ is from above) and add it disjointly to $O$. Moreover, add to $\delta_{>0}$ and $\delta_0$ the transitions $s \to \mathrm{in}$ for all $s \in S_f$, where in is the in control location of $O(G)$. Finally, introduce a new proposition $p$ and set $Q_p = \{\mathrm{out}\}$, where out is the out control location of $O(G)$. By putting $q = s_0$ we obtain: $x \in L$ if and only if $(T(O), (q, 0)) \models \exists(\varphi\, \mathsf{U}\, p)$, where $\varphi$ is from Prop. 7.1. This concludes the proof of the theorem. ■
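Added example (not from the paper): a Python check of the arithmetic behind Steps 2 to 5 on a toy instance, showing that $G$ holds only at counter value $2^m$ and that evaluating $F = C \circ B$ on $\mathrm{CRR}_m(M)$ yields the serialized word of (7.3). The function `B` is a Chinese-remainder stand-in for the circuit $B$; the majority circuit `MAJ` and the parity NFA `EVEN` are constructed for illustration.

```python
from math import prod

def first_primes(m):
    """Step 2: the first m primes, by trial division."""
    primes, c = [], 2
    while len(primes) < m:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes

def crr(M, primes):
    """CRR_m(M) as an assignment: x_{i,r} = 1 iff M = r (mod p_i)."""
    return {(i, r): int(M % p == r)
            for i, p in enumerate(primes) for r in range(p)}

def B(assign, primes):
    """Stand-in for circuit B (Step 3): CRR bits -> BIN_m(M mod 2^m), MSB first."""
    m, N = len(primes), prod(primes)
    res = [next(r for r in range(p) if assign[(i, r)])
           for i, p in enumerate(primes)]
    M = sum(r * (N // p) * pow(N // p, -1, p) for r, p in zip(res, primes)) % N
    return tuple((M % 2**m) >> (m - 1 - k) & 1 for k in range(m))

def G(assign, primes):
    """Step 5: G = AND_i x_{i,r_i} with r_i = 2^m mod p_i."""
    m = len(primes)
    return all(assign[(i, 2**m % p)] for i, p in enumerate(primes))

def serialized_word(C, m):
    """The word of (7.3): F(CRR_m(M)) for M = 0..2^m-1, where F = C after B."""
    primes = first_primes(m)
    return [C(B(crr(M, primes), primes)) for M in range(2**m)]

def nfa_accepts(word, delta, s0, finals):
    """Subset simulation of A = (S, {0,1}, delta, s0, S_f)."""
    states = {s0}
    for b in word:
        states = {t for (s, a, t) in delta if s in states and a == b}
    return bool(states & finals)

# Constructed toy instance: C = majority of m = 3 bits, A = "even number of 1s".
MAJ = lambda bits: int(sum(bits) >= 2)
EVEN = {("e", 0, "e"), ("e", 1, "o"), ("o", 0, "o"), ("o", 1, "e")}

if __name__ == "__main__":
    ps = first_primes(3)
    print([M for M in range(prod(ps)) if G(crr(M, ps), ps)])
    w = serialized_word(MAJ, 3)
    print(w, nfa_accepts(w, EVEN, "e", {"e"}))
```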
By slightly modifying the proof of Thm. 7.2 one can also prove that the fixed CTL formula can be chosen to be of the form $\exists \mathsf{G} \psi$, where $\psi$ is an EF formula.

8. Two further applications: EF and one-counter Markov decision processes 

In this section, we present two further applications of Thm. 6.1 to OCPs. First, we state that the combined complexity for EF over OCNs is hard for P$^{\mathrm{NP}}$. For formulas represented succinctly by directed acyclic graphs this was already shown in [13]. The point here is that we use the standard tree representation for formulas.

Theorem 8.1. It is P$^{\mathrm{NP}}$-hard (and hence P$^{\mathrm{NP}}$-complete by [13]) to check $(T(O), (q_0, 0)) \models \varphi$ for given OCN $O$, state $q_0$ of $O$, and EF formula $\varphi$.

The proof of Thm. 8.1 is very similar to the proof of Thm. 7.2 but does not use the concept of serializability. We prove hardness by a reduction from the question whether the lexicographically maximal satisfying assignment of a Boolean formula is even when interpreted as a natural number. This problem is P$^{\mathrm{NP}}$-hard by [27]. At the moment we cannot prove that the data complexity of EF over OCPs is hard for P$^{\mathrm{NP}}$ (hardness for P$^{\mathrm{NP}[\log]}$ was shown in [13]). Analyzing the proof of Thm. 8.1 in [14] shows that the main obstacle is the fact that converting from Chinese remainder representation into binary representation is not possible by uniform AC$^0$ circuits (polynomial size circuits of constant depth and unbounded fan-in); this is provably the case.

In the rest of the paper, we sketch a second application of our lower bound technique based on Thm. 6.1; see [14] for more details. This application concerns one-counter Markov decision processes. Markov decision processes (MDPs) extend classical Markov chains by allowing so-called nondeterministic vertices. In these vertices, no probability distribution on the outgoing transitions is specified. The other vertices are called probabilistic vertices; in these vertices a probability distribution on the outgoing transitions is given. The idea is that in an MDP a player Eve plays against nature (represented by the probabilistic vertices). In each nondeterministic vertex $v$, Eve chooses a probability distribution on the outgoing transitions of $v$; this choice may depend on the past of the play (which is a path in the underlying graph ending in $v$) and is formally represented by a strategy for Eve. An MDP together with a strategy for Eve defines a Markov chain, whose state space is the unfolding of the graph underlying the MDP. Here, we consider infinite MDPs, which are finitely represented by OCPs; this formalism was introduced in [6] under the name one-counter Markov decision process (OC-MDP). With a given OC-MDP $A$ and a set $R$ of control locations of the OCP underlying $A$ (a so-called reachability constraint), two sets were associated in [6]: ValOne($R$) is the set of all vertices $s$ of the MDP defined by $A$ such that for every $\varepsilon > 0$ there exists a strategy $\sigma$ for Eve under which the probability of finally reaching from $s$ a control location in $R$ and at the same time having counter value 0 is at least $1 - \varepsilon$. OptValOne($R$) is the set of all vertices $s$ of the MDP defined by $A$ for which there exists a specific strategy for Eve under which this probability is 1. It was shown in that for a given OC-MDP $A$, a set of control locations $R$, and a vertex $s$ of the MDP defined by $A$, the question if $s \in$ OptValOne($R$) is PSPACE-hard and in EXPTIME. The same question for ValOne($R$) instead of OptValOne($R$) was shown to be hard for each level of the Boolean hierarchy BH, which is a hierarchy of complexity classes between NP and P$^{\mathrm{NP}[\log]}$. By applying our lower bound techniques (from Thm. 7.2) we can prove the following.

Theorem 8.2. Membership in ValOne($R$) is PSPACE-hard.

As a byproduct of our proof, we also reprove PSPACE-hardness for OptValOne($R$). It is open whether ValOne($R$) is decidable; the corresponding problem for MDPs defined by pushdown processes is undecidable [11].